Passed
Pull Request — master (#1275)
by Dante
03:40 queued 02:10
created

PermsHelper::canLock()   A

Complexity

Conditions 1
Paths 1

Size

Total Lines 3
Code Lines 1

Duplication

Lines 0
Ratio 0 %

Importance

Changes 0
Metric Value
cc 1
eloc 1
nc 1
nop 0
dl 0
loc 3
rs 10
c 0
b 0
f 0
1
<?php
2
/**
3
 * BEdita, API-first content management framework
4
 * Copyright 2021 ChannelWeb Srl, Chialab Srl
5
 *
6
 * This file is part of BEdita: you can redistribute it and/or modify
7
 * it under the terms of the GNU Lesser General Public License as published
8
 * by the Free Software Foundation, either version 3 of the License, or
9
 * (at your option) any later version.
10
 *
11
 * See LICENSE.LGPL or <http://gnu.org/licenses/lgpl-3.0.html> for more details.
12
 */
13
namespace App\View\Helper;
14
15
use BEdita\WebTools\ApiClientProvider;
16
use Cake\Utility\Hash;
17
use Cake\View\Helper;
18
19
/**
20
 * Helper class to handle permissions on modules.
21
 */
22
class PermsHelper extends Helper
23
{
24
    /**
25
     * API methods allowed in current module
26
     *
27
     * @var array
28
     */
29
    protected $current = [];
30
31
    /**
32
     * API methods allowed in all modules
33
     *
34
     * @var array
35
     */
36
    protected $allowed = [];
37
38
    /**
39
     * Permissions on folders enabled flag
40
     *
41
     * @var bool
42
     */
43
    protected $permissionsOnFolders = false;
44
45
    /**
46
     * {@inheritDoc}
47
     *
48
     * Init API and WebAPP base URL
49
     *
50
     * @return  void
51
     */
52
    public function initialize(array $config): void
53
    {
54
        $modules = (array)$this->_View->get('modules');
55
        // using foreach instead of Hash::combine
56
        // to avoid RuntimeError "Hash::combine() needs an equal number of keys + values"
57
        foreach ($modules as $name => $module) {
58
            if (Hash::check($module, 'hints.allow')) {
59
                $this->allowed[$name] = Hash::get($module, 'hints.allow');
60
            }
61
        }
62
        $currentModule = (array)$this->_View->get('currentModule');
63
        $this->current = (array)Hash::get($currentModule, 'hints.allow');
64
        $schema = (array)$this->_View->get('foldersSchema');
65
        $this->permissionsOnFolders = in_array('Permissions', (array)Hash::get($schema, 'associations'));
66
    }
67
68
    /**
69
     * Check lock/unlock permission.
70
     *
71
     * @return bool
72
     */
73
    public function canLock(): bool
74
    {
75
        return $this->userIsAdmin();
76
    }
77
78
    /**
79
     * Check create permission.
80
     *
81
     * @param string|null $module Module name
82
     * @return bool
83
     */
84
    public function canCreate(?string $module = null): bool
85
    {
86
        return $this->isAllowed('POST', $module) && $this->userIsAllowed($module);
87
    }
88
89
    /**
90
     * Return modules that can be created by the authenticated user.
91
     *
92
     * @return array
93
     */
94
    public function canCreateModules(): array
95
    {
96
        $modules = array_keys((array)$this->_View->get('modules'));
97
98
        return array_values(
99
            array_filter(
100
                $modules,
101
                function ($module) {
102
                    return $this->canCreate($module);
103
                }
104
            )
105
        );
106
    }
107
108
    /**
109
     * Check delete permission.
110
     *
111
     * @param array $object The object
112
     * @return bool
113
     */
114
    public function canDelete(array $object): bool
115
    {
116
        $locked = (bool)Hash::get($object, 'meta.locked', false);
117
        if ($locked === false) {
118
            $locked = $this->isLockedByParents((string)Hash::get($object, 'id'));
119
        }
120
        $module = (string)Hash::get($object, 'type');
121
122
        return !$locked && $this->isAllowed('DELETE', $module) && $this->userIsAllowed($module);
123
    }
124
125
    /**
126
     * Check save permission.
127
     *
128
     * @param string|null $module Module name
129
     * @return bool
130
     */
131
    public function canSave(?string $module = null): bool
132
    {
133
        return $this->userIsAdmin() || ($this->isAllowed('PATCH', $module) && $this->userIsAllowed($module));
134
    }
135
136
    /**
137
     * Map of modules and their save permissions for the authenticated user.
138
     *
139
     * @return array
140
     */
141
    public function canSaveMap(): array
142
    {
143
        $modules = array_keys((array)$this->_View->get('modules'));
144
        $map = [];
145
        foreach ($modules as $module) {
146
            $map[$module] = $this->canSave($module);
147
        }
148
149
        return $map;
150
    }
151
152
    /**
153
     * Check read permission.
154
     *
155
     * @param string|null $module Module name
156
     * @return bool
157
     */
158
    public function canRead(?string $module = null): bool
159
    {
160
        return $this->isAllowed('GET', $module);
161
    }
162
163
    /**
164
     * Check if a method is allowed on a module.
165
     *
166
     * @param string $method Method to check
167
     * @param string|null $module Module name, if missing or null current module is used.
168
     * @return bool
169
     */
170
    protected function isAllowed(string $method, ?string $module = null): bool
171
    {
172
        if (empty($module)) {
173
            if (empty($this->current)) {
174
                return true;
175
            }
176
177
            return in_array($method, $this->current);
178
        }
179
180
        $allowed = (array)Hash::get($this->allowed, $module);
181
182
        return in_array($method, $allowed);
183
    }
184
185
    /**
186
     * Access string (can be 'read', 'write', 'hidden') per role and module.
187
     *
188
     * @param array $accessControl The access control array
189
     * @param string $roleName The role name
190
     * @param string $moduleName The module name
191
     * @return string
192
     */
193
    public function access(array $accessControl, string $roleName, string $moduleName): string
194
    {
195
        $roleAccesses = Hash::get($accessControl, $roleName, []);
196
        if (empty($roleAccesses)) {
197
            return 'write';
198
        }
199
        $hiddenModules = Hash::get($roleAccesses, 'hidden', []);
200
        if (in_array($moduleName, $hiddenModules)) {
201
            return 'hidden';
202
        }
203
        $readonlyModules = Hash::get($roleAccesses, 'readonly', []);
204
205
        return in_array($moduleName, $readonlyModules) ? 'read' : 'write';
206
    }
207
208
    /**
209
     * Return true if authenticated user has role admin
210
     *
211
     * @return bool
212
     */
213
    public function userIsAdmin(): bool
214
    {
215
        return in_array('admin', $this->userRoles());
216
    }
217
218
    /**
219
     * Check permissions for user if object is a folder.
220
     *
221
     * @param string|null $module The module, if passed.
222
     * @return bool
223
     */
224
    public function userIsAllowed(?string $module): bool
225
    {
226
        $objectType = !empty($module) ? $module : $this->_View->get('objectType');
227
        if ($this->permissionsOnFolders === false || $objectType !== 'folders' || $this->userIsAdmin()) {
228
            return true;
229
        }
230
231
        $object = $this->_View->get('object');
232
        $permsRoles = (array)Hash::get((array)$object, 'meta.perms.roles');
233
        if (empty($permsRoles)) {
234
            return true;
235
        }
236
237
        return !empty(array_intersect($permsRoles, $this->userRoles()));
238
    }
239
240
    /**
241
     * Return authenticated user roles
242
     *
243
     * @return array
244
     */
245
    public function userRoles(): array
246
    {
247
        /** @var \Authentication\Identity|null $identity */
248
        $identity = $this->_View->get('user');
249
250
        return empty($identity) ? [] : (array)$identity->get('roles');
251
    }
252
253
    /**
254
     * Return true if object is locked by parents.
255
     * When user is admin, return false.
256
     * When user is not admin, return true if at least one parent is locked for user.
257
     * Return false otherwise
258
     *
259
     * @param string $id The object id
260
     * @return bool
261
     */
262
    public function isLockedByParents(string $id): bool
263
    {
264
        if ($this->permissionsOnFolders === false || $this->userIsAdmin()) {
265
            return false;
266
        }
267
        $apiClient = ApiClientProvider::getApiClient();
268
        $response = (array)$apiClient->get(sprintf('/objects/%s?include=parents', $id));
269
        $included = (array)Hash::get($response, 'included', []);
270
        if (empty($included)) {
271
            return false;
272
        }
273
        $roles = $this->userRoles();
274
        foreach ($included as $data) {
275
            $metaPermsRoles = (array)Hash::get($data, 'meta.perms.roles');
276
            if (empty($metaPermsRoles)) {
277
                continue;
278
            }
279
            if (count(array_intersect($roles, $metaPermsRoles)) === 0) {
280
                return true;
281
            }
282
        }
283
284
        return false;
285
    }
286
}
287